Millions affected by B.C. health data breach

VICTORIA – The personal-health data of more than five million British Columbians has been accessed without proper authorization, and in the most serious cases, the provincial government says it will notify more than 38,000 individuals of the breaches by letter.

As part of an ongoing probe into research-grant practices between ministry employees and researchers at the universities of B.C. and Victoria, Health Minister Margaret MacDiarmid announced Monday three specific instances of data breaches in October 2010 and June 2012.

In each case, health data — excluding personal names, social insurance numbers or financial information — was saved on USB sticks and shared with researchers or contractors without the proper permission or protocols, said MacDiarmid.

Ministry policies requiring the USB sticks be encrypted and password protected were also not followed, she added, and one incident breached an agreement with Statistics Canada.

“I take this very seriously, but I do feel that I can be reassuring,” said MacDiarmid.

“We don’t believe there is a great risk to individuals with this information because there is no evidence at all that the information has been used for anything other than health research.”

Nonetheless, MacDiarmid said the ministry has contacted the individuals involved or their legal representatives and asked the information be returned.

Already, as a result of the investigation launched in September, the ministry has fired seven employees, sparking two separate lawsuits.

In the most serious case, in June 2012, the personal health numbers, gender, dates of birth and postal codes of 38,486 people were shared with an individual, said MacDiarmid.

Also included was data from Statistics Canada’s Canadian Community Health Survey, including information on the mental, physical and sexual health of individuals, as well as their lifestyles and the use of health services.

During the same month, a contractor was given a USB stick holding the plain-text data of five million individuals, including information on their personal health numbers, gender, age group, lengths of hospital stays and the amounts spent on various categories of health care.

The USB stick also included information on some health conditions, and whether, for example, an individual had been diagnosed with diabetes.

MacDiarmid said the third case took place in October 2010 when a USB stick containing the personal health numbers of 21,000 people and the diagnostic information for 262 chronic diseases or conditions was created and shared with a researcher without a data request and in contravention of ministry policies.

MacDiarmid declined to speak about a number of other breaches uncovered during the investigation, and said the ministry is tracking the probe’s cost, noting she could not provide any firm numbers.

MacDiarmid said her ministry decided to write the letters following discussions with the Office of the Information and Privacy Commissioner.

Elizabeth Denham, the information and privacy commissioner, also said Monday her independent investigation should be complete in the coming weeks, and she will then issue a public report with findings and recommendations.

In December, Ron Mattson, one of those fired, announced he would sue MacDiarmid and the province in an attempt to get his reputation back. Mattson alleges wrongful dismissal, wrongful withholding of pay and defamation in his B.C. Supreme Court lawsuit.

The ministry is also facing a defamation lawsuit from Malcolm Maclure, a director of research and evidence development with the ministry’s pharmaceutical services division.

MacDiarmid said the ministry has hired a private consulting firm to review its data-security measures.